pcap_tools 0.0.8 → 0.0.9

@@ -127,3 +127,9 @@ The request and response object have some new attributes
127
127
  For the response object body, the following "Content-Encoding" type are honored :
128
128
 
129
129
  * gzip
130
+
131
+ # FAQ
132
+
133
+ * `pcap_tools` found nothing in my pcap_files. Try to remove the wiresark profile, and re launch: `rm -rf $HOME/.wireshark/profiles/pcap_tools`.
134
+
135
+
@@ -15,7 +15,7 @@ OptionParser.new do |opts|
15
15
  end
16
16
 
17
17
  opts.on("--tshark_path", "Path to tshark executable") do |x|
18
- OPTIONS[:tshark_path] = x
18
+ OPTIONS[:tshark] = x
19
19
  end
20
20
 
21
21
  opts.on("--one-tcp-stream [index]", Integer, "Display only one tcp stream") do |x|
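Review bot: The switch is declared as `opts.on("--tshark_path", ...)` with no argument placeholder, so OptionParser treats it as a boolean flag and yields `true`, and the renamed line `OPTIONS[:tshark] = x` stores `true` rather than a path; the loader then builds `"#{tshark_executable} -v"` from it. Declaring the argument fixes this: `opts.on("--tshark_path PATH", "Path to tshark executable") do |x|`. The enclosing `OptionParser.new do |opts|` block starts before this hunk.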
@@ -26,6 +26,14 @@ OptionParser.new do |opts|
26
26
  OPTIONS[:mode] = m
27
27
  end
28
28
 
29
+ opts.on("--pdml", "Use pdml file as input instead of pcap") do |x|
30
+ OPTIONS[:pdml] = true
31
+ end
32
+
33
+ opts.on("--keep_retransmission", "Do not ignore retransmitted packets") do |x|
34
+ OPTIONS[:keep_retransmission] = true
35
+ end
36
+
29
37
  end.parse!
30
38
 
31
39
  def format_time t
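Review bot: Both new switches take a block parameter `|x|` that is never read, since the handlers assign a constant `true`; dropping it, `opts.on("--pdml", "Use pdml file as input instead of pcap") do` and likewise for `--keep_retransmission`, makes the intent clearer and quiets unused-variable warnings. The new long option `--keep_retransmission` mixes underscore style with the hyphenated `--one-tcp-stream` already in this parser; the file already has `--tshark_path`, so this is a pre-existing inconsistency rather than one introduced here, but new switches are a chance to settle on one form. The `OptionParser.new do |opts|` block starts before this hunk.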
@@ -135,7 +143,7 @@ else
135
143
  end
136
144
 
137
145
  ARGV.each do |f|
138
- PcapTools::Loader::load_file(f, {:tshark => OPTIONS[:tshark_path]}) do |index, packet|
146
+ PcapTools::Loader::load_file(f, OPTIONS) do |index, packet|
139
147
  processor.inject index, packet
140
148
  end
141
149
  end
@@ -8,13 +8,14 @@ module PcapTools
8
8
 
9
9
  class MyParser < ::Ox::Sax
10
10
 
11
- def initialize block
11
+ def initialize opts, block
12
12
  @current_packet_index = 0
13
13
  @current_packet = nil
14
14
  @current_processing = nil
15
15
  @current_proto_name = nil
16
16
  @current_field_name = nil
17
17
  @block = block
18
+ @opts = opts
18
19
  end
19
20
 
20
21
  def attr name, value
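Review bot: The new `opts` parameter is stored but nothing in the constructor documents which keys the parser reads from it, and a caller passing `nil` would fail later at `@opts[:keep_retransmission]` rather than here. A comment above `def initialize opts, block` such as `# opts: loader options hash; only :keep_retransmission is consulted (see the packet-end handler)` would tell the next maintainer what the hash must contain, and `@opts = opts || {}` would make the later lookup safe for a missing hash. The rest of the class continues outside this hunk.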
@@ -47,6 +48,10 @@ module PcapTools
47
48
  @current_packet[:tcp_flags][:ack] = value == "1"
48
49
  elsif @current_proto_name == "tcp" && @current_field_name == "tcp.flags.syn"
49
50
  @current_packet[:tcp_flags][:syn] = value == "1"
51
+ elsif @current_proto_name == "tcp" && @current_field_name == "tcp.analysis.retransmission"
52
+ @current_packet[:tcp_retransmission] = true
53
+ elsif @current_proto_name == "tcp" && @current_field_name == "tcp.analysis.lost_segment"
54
+ @current_packet[:tcp_lost_segment] = true
50
55
  end
51
56
  elsif name == :value
52
57
  if @current_proto_name == "fake-field-wrapper" && @current_field_name == "data"
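Review bot: The two new branches compare `@current_field_name` for exact equality with `"tcp.analysis.retransmission"` and `"tcp.analysis.lost_segment"`, so any sibling analysis field tshark emits under a different name (for example `tcp.analysis.fast_retransmission`, which exists in Wireshark's TCP dissector) would not set `:tcp_retransmission`; whether that matters depends on the tshark versions supported, which the page does not state. The flags are set without regard to `value`, unlike the `tcp.flags.*` branches above that test `value == "1"`; a short comment, `# analysis fields are presence-only; their value attribute is not meaningful`, would explain the asymmetry. The enclosing `attr` method starts and ends outside this hunk.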
@@ -83,6 +88,9 @@ module PcapTools
83
88
  $stderr.puts "Malformed packet #{@current_packet_index}"
84
89
  return
85
90
  end
91
+ if @current_packet[:tcp_retransmission] && !@opts[:keep_retransmission]
92
+ return
93
+ end
86
94
  raise "No data found in packet #{@current_packet_index}, protocols found #{@current_packet[:protos]}" if @current_packet[:data].nil? && @current_packet[:size] > 0
87
95
  @current_packet.delete :protos
88
96
  @block.call @current_packet_index, @current_packet
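Review bot: The added early return drops a retransmitted packet silently, whereas the neighbouring malformed-packet path writes to `$stderr` before returning; the drop is invisible to the user, and a retransmitted segment can carry a payload that differs from the original, so an analyst reconstructing a stream may want to know one was discarded. A single line, `$stderr.puts "Ignoring retransmitted packet #{@current_packet_index}"`, before the `return` keeps this consistent with the surrounding diagnostics. Note also that the `return` happens before the `@current_packet.delete :protos` and block call, so the skipped packet is never delivered, which is presumably intended. The enclosing method starts and ends outside this hunk.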
@@ -93,27 +101,33 @@ module PcapTools
93
101
  end
94
102
 
95
103
  def self.load_file f, options = {}, &block
96
- tshark_executable = options[:tshark] || "tshark"
97
- accepted_protocols = ["geninfo", "tcp", "ip", "eth", "sll", "frame", "null"]
98
- accepted_protocols += options[:accepted_protocols] if options[:accepted_protocols]
99
- profile_name = "pcap_tools"
100
- profile_dir = "#{ENV['HOME']}/.wireshark/profiles/#{profile_name}"
101
- status = POpen4::popen4("#{tshark_executable} -v") do |stdout, stderr, stdin, pid|
102
- end
103
- raise "#{tshark_executable} not found" unless status
104
- unless File.exist? "#{profile_dir}/disabled_protos"
105
- status = POpen4::popen4("#{tshark_executable} -G protocols") do |stdout, stderr, stdin, pid|
106
- list = stdout.read.split("\n").map { |x| x.split(" ").last }.reject { |x| accepted_protocols.include? x }
107
- FileUtils.mkdir_p profile_dir
108
- File.open("#{profile_dir}/disabled_protos", "w") { |io| io.write(list.join("\n") + "\n") }
104
+ if options[:pdml]
105
+ f = File.open(f, 'rb')
106
+ Ox.sax_parse(MyParser.new(options, block), f)
107
+ f.close
108
+ else
109
+ tshark_executable = options[:tshark] || "tshark"
110
+ accepted_protocols = ["geninfo", "tcp", "ip", "eth", "sll", "frame", "null", "ethertype"]
111
+ accepted_protocols += options[:accepted_protocols] if options[:accepted_protocols]
112
+ profile_name = "pcap_tools"
113
+ profile_dir = "#{ENV['HOME']}/.wireshark/profiles/#{profile_name}"
114
+ status = POpen4::popen4("#{tshark_executable} -v") do |stdout, stderr, stdin, pid|
109
115
  end
110
- raise "#{tshark_executable} execution error when listing protocols" unless status.exitstatus == 0
111
- end
112
- status = POpen4::popen4("#{tshark_executable} -n -C #{profile_name} -T pdml -r #{f}") do |stdout, stderr, stdin, pid|
113
- Ox.sax_parse(MyParser.new(block), stdout)
114
- $stderr.puts stderr.read
116
+ raise "#{tshark_executable} not found" unless status
117
+ unless File.exist? "#{profile_dir}/disabled_protos"
118
+ status = POpen4::popen4("#{tshark_executable} -G protocols") do |stdout, stderr, stdin, pid|
119
+ list = stdout.read.split("\n").map { |x| x.split(" ").last }.reject { |x| accepted_protocols.include? x }
120
+ FileUtils.mkdir_p profile_dir
121
+ File.open("#{profile_dir}/disabled_protos", "w") { |io| io.write(list.join("\n") + "\n") }
122
+ end
123
+ raise "#{tshark_executable} execution error when listing protocols" unless status.exitstatus == 0
124
+ end
125
+ status = POpen4::popen4("#{tshark_executable} -n -C #{profile_name} -T pdml -r #{f}") do |stdout, stderr, stdin, pid|
126
+ Ox.sax_parse(MyParser.new(options, block), stdout)
127
+ $stderr.puts stderr.read
128
+ end
129
+ raise "#{tshark_executable} execution error with file #{f}" unless status.exitstatus == 0
115
130
  end
116
- raise "#{tshark_executable} execution error with file #{f}" unless status.exitstatus == 0
117
131
  end
118
132
 
119
133
  end
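Review bot: In the new `options[:pdml]` branch, `f = File.open(f, 'rb')` followed by `Ox.sax_parse(...)` and `f.close` leaks the file descriptor if the parser raises, because there is no `ensure`; the block form closes it on every path: `File.open(f, 'rb') { |io| Ox.sax_parse(MyParser.new(options, block), io) }`. Reassigning `f` from a path to a `File` also obscures the later error message that interpolates `#{f}`. In the tshark branch the input path is interpolated unescaped into a shell command string, `"#{tshark_executable} -n -C #{profile_name} -T pdml -r #{f}"`, so a filename containing spaces or shell metacharacters breaks the invocation or is interpreted by the shell; wrapping it with `Shellwords.escape(f)` (stdlib `shellwords`) and doing the same for `tshark_executable` closes that gap. The `-G protocols` and `-v` probes were moved rather than changed, so this applies to the command line that takes user-supplied paths.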
@@ -20,6 +20,7 @@ module PcapTools
20
20
  @streams[stream_index] = {
21
21
  :first => packet,
22
22
  :data => [],
23
+ :tcp_lost_segment => false,
23
24
  }
24
25
  elsif packet[:tcp_flags][:fin] || packet[:tcp_flags][:rst]
25
26
  if @streams[stream_index]
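Review bot: The new `:tcp_lost_segment => false` entry in the stream hash is not read anywhere in this commit; the later hunk in the same file tests `packet[:tcp_lost_segment]` on the packet, not on the stream, so the key appears to be dead state unless something outside the shown hunks consults it. If it is meant as the per-stream flag, the lost-segment check should set it (`@streams[stream_index][:tcp_lost_segment] = true`) rather than deleting the stream; if not, the entry can be dropped. The enclosing method starts and ends outside this hunk.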
@@ -35,6 +36,10 @@ module PcapTools
35
36
  packet[:type] = (packet[:from] == @streams[stream_index][:first][:from] && packet[:from_port] == @streams[stream_index][:first][:from_port]) ? :out : :in
36
37
  packet.delete :tcp_flags
37
38
  @streams[stream_index][:data] << packet if packet[:size] > 0
39
+ if packet[:tcp_lost_segment]
40
+ @streams.delete stream_index
41
+ $stderr.puts "Ignoring tcp stream #{stream_index}, tcp segments are missing"
42
+ end
38
43
  end
39
44
  end
40
45
  end
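Review bot: After `@streams.delete stream_index`, any later packet on the same stream index reaches `@streams[stream_index][:first][:from]` above with a `nil` stream unless a guard earlier in the method (outside this hunk) filters it, which would raise `NoMethodError` instead of ignoring the stream as the message promises; a guard such as `return unless @streams[stream_index]` at the top of the data branch, or remembering ignored indices in a set, would make the skip hold for the rest of the capture. The `$stderr.puts` message is good for visibility; consider including the packet index, which the loader already prints in its own diagnostics. The enclosing method starts and ends outside this hunk.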
@@ -2,7 +2,7 @@ require 'rake'
2
2
 
3
3
  Gem::Specification.new do |s|
4
4
  s.name = 'pcap_tools'
5
- s.version = '0.0.8'
5
+ s.version = '0.0.9'
6
6
  s.authors = ['Bertrand Paquet']
7
7
  s.email = 'bertrand.paquet@gmail.com'
8
8
  s.summary = 'Tools for extracting data from pcap files'
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: pcap_tools
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.8
4
+ version: 0.0.9
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2014-11-13 00:00:00.000000000 Z
12
+ date: 2014-11-15 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: popen4